- ONTAP 9.1
NetApp Volume Encryption (NVE) is a software-based, data-at-rest encryption solution available starting with NetApp ONTAP 9.1 management software. NVE allows ONTAP to encrypt data and to have that data stored on disk without requiring self-encrypting drives. NVE also allows customers to use storage efficiency features that would be lost if the customer decided to encrypt at the application layer. Customers can use any existing disk with NVE, which also includes NetApp Storage Encryption (NSE) drives for double or layered encryption. NVE and NAE are the only option available for encrypting data in NetApp MetroCluster software and ONTAP Select.
- Solution Overview
NVE is composed of a software cryptographic module (CryptoMod), encryption keys, and a key manager.
- Software CryptoMod
The software CryptoMod performs the data encryption operations and generates encryption keys for the volumes (see Figure 1).
Figure 1) NVE encrypt/decrypt flow
The CryptoMod performs the data encryption at the RAID layer, which allows the storage efficiencies to work. After a read operation, data is unencrypted when the data leaves the RAID layer.
- Encryption Keys
A unique XTS-AES-256 data encryption key is generated for each volume. An encryption key hierarchy is used to encrypt and protect all volume keys. These encryption keys are never displayed, shown, or reported in an unencrypted format.
- Key Manager
The encryption keys are stored within the key manager, which keeps track of all the encryption keys used by ONTAP. The key manager can be the onboard key manager (OKM) or an external key manager that uses the OASIS Key Management Interoperability Protocol (KMIP).
- Comparison with NetApp Storage Encryption
NSE requires all drives in an HA pair to be purpose-built, self-encrypting drives. These drives perform the data encryption themselves through a hardware-accelerated mechanism. Because of the hardware acceleration, NSE systems usually outperform NVE systems when encrypting data.
NSE drives are FIPS 140-2 level 2 validated, and the CryptoMod used by NVE is FIPS 140-2 level 1 validated. FIPS 140-2 level 1 is the highest attainable level for a software module.
- Are there any platform requirements?
Yes. NVE requires that the controller CPU provide an offload called AES-NI. The controllers that have the required offload are FAS2620, FAS2650, FAS6280, FAS6290, FAS8020, FAS8040, FAS8060, FAS8080, FAS8200, FAS9000, AFF A200, AFF A300, AFF A700, AFF A700s, and all new controllers introduced with ONTAP 9.1 and later.
- In addition to a platform, what else do I need to run NVE?
You need an ONTAP software image that can encryptand the NVE software license. ONTAP images that are not capable of encrypting data are marked with a special extension.
- Is NVE a licensed feature?
Yes, it is, for global trade compliance purposes.
- I understand that ONTAP 9.1 includes NVE, which has cryptographic functions. What if I'm selling to a customer in a country where export control policies prevent the export of strong cryptographic algorithms?
ONTAP has two different builds: the normal build and a no data at rest (NODAR) encryption build. The NODAR builds are distinguishable by the word nodar in the version string of the version -v or run local version command.
- Which key managers are compatible or available with NVE?
With ONTAP 9.3, the onboard key manager (OKM) and external KMIP servers are available for NVE and NAE.
- What if I have an existing NSE system with an external KMIP key manager and want to use NVE as well?
With ONTAP 9.3, the external key manager can be used for both the NSE drives and NVE.
- Which external key managers are supported with NVE starting in ONTAP 9.3?
Refer to the Interoperability Matrix Tool (IMT).
- Must all of my volumes be encrypted, as required in NSE?
No. With NVE, you can choose which volumes are encrypted and which are not. With an NAE aggregate, unencrypted volumes are not allowed. All volumes on an NAE aggregate must be NAE encrypted or NVE encrypted.
- Can I use NSE drives as well as NVE?
Yes. NVE lets you add a layer of encryption on top of what the NSE drives already provide.
- Can I have NVE-capable and non-NVE-capable platforms in the same cluster and still use NVE?
Yes. You can have mixed platforms per the standard ONTAP platform mixing rules. Both platforms in the high availability (HA) pair must be NVE capable. The non-NVE-capable platforms in the cluster are not able to host encrypted volumes.
- What is encrypted with NVE and NAE?
For NVE, data volumes, specifically NetApp FlexVol® volumes, are encrypted. Controller root volumes and storage virtual machine (SVM) root volumes are not encrypted with NVE. For NAE, data volumes, storage virtual machine (SVM) root volumes, and Metadata Volume (MDV) for MetroCluster are encrypted. Controller root volumes (vol0) are not encrypted with NAE. For both NVE and NAE, anything that is part of the data volume is encrypted, including NetApp Snapshot™ copies and clones.
- Are the NetApp storage efficiencies still maintained when NVE and NAE are used?
Yes. As depicted in the solution overview (section 1.1), CryptoMod performs data encryption at the RAID layer, which allows storage efficiencies to stay in place because they are performed before the encryption functions.
- Does NVE and NAE work with aggregate deduplication?
You can put NVE volumes in aggregated deduplicated aggregates. The NVE volumes do not participate in the aggregate deduplication savings; the NVE volumes are ignored. NAE volumes do participate in aggregate deduplication savings.
- What type of algorithms do NVE and NAE use for encrypting data?
NVE and NAE data-at-rest encryption uses XTS-AES-256. The keys required for XTS-AES-256 are generated using a NIST SP800-90A DRBG in CTR_DRBG mode with predictive resistance and health checks always on.
- Are Snapshot copies encrypted?
- Are FlexClone volumes encrypted?
Yes. NetApp FlexClone® volumes are encrypted with the same key as the original volume.
- Can FlexClone volumes be encrypted with a different encryption key than the original volume?
Yes. The FlexClone volume must first be split from the original volume. A warning message tells the user to perform a volume move to give the split clone a new encryption key. After the user performs the volume move, the split clone has a new encryption key.
- Are data volume encryption keys reused?
No. Each data volume key is unique to that volume.
- Can I assign a specific key to a data volume?
No. Encryption keys are automatically generated when the volume is created.
- If I use NetApp SnapMirror to mirror my encrypted volume to a different cluster, is the same encryption key used at the destination?
No. The destination volume is its own volume and has its own unique key.
- Does NVE encrypt data in flight?
No. NVE is specifically for data that is stored on disk.
- If I use SnapMirror to mirror my encrypted volume to a different cluster, is the data encrypted in flight or over the wire by NVE?
No. NetApp SnapMirror® sits above the NetApp WAFL® layer, and thus the data sent by SnapMirror is not encrypted by NVE. For more information, see the solution overview in section 1.1.
- Are encryption keys replicated across clusters?
No. Encryption keys apply only to a single cluster.
- Where are data volume encryption keys stored?
With the onboard key manager, data volume encryption keys are stored in the WAFL metadata, which is not accessible by the user, and the volume location database (VLDB). With an external key manager, data volume encryption keys are stored directly on the KMIP server.
- Can my source volume be encrypted and my SnapMirror target be unencrypted, or conversely?
Yes. The source volume and destination volume can have different encryption settings.
- Is NVE FIPS 140-2 validated?
NVE is FIPS 140-2 compliant. The algorithms have been put in place so that NVE or-more precisely, the CryptoMod used by NVE and OKM-is FIPS 140-2 level 1 validated.
- Does NVE provide a special mechanism or procedure to protect against or handle data spills?
No. Because of wear-leveling in solid-state drives (SSDs), sensitive data that was on a disk before NVE was enabled could still be present. However, with external key servers introduced in NetApp ONTAP 9.3, volume keys are external to the cluster. This problem is not unique to NetApp; any vendor using SSDs has this same problem.
- How can I use NVE to nondisruptively remediate data spillage? As an example, I want to ensure deletion of personal data for GDPR "right-to-erasure."
Use NVE secure purge to cryptographically shred deleted files on NVE volumes by moving good files and deleting the key used to encrypt infected files. See the NetApp Encryption Power Guide for details.
- How do I encrypt a new data volume?
See the NetApp Volume Encryption Power Guide.
- Can I encrypt existing data volumes?
Yes. You can do so by performing a volume move. For more information, see the NetApp Volume Encryption Power Guide.
- Can I encrypt an existing data volume in place (without a volume move)?
Yes. Starting with NetApp ONTAP 9.3, a volume can be encrypted in place with the volume encryption conversion start command. However, to decrypt a volume, a volume move is still required.
- Can I encrypted an existing volume in place with NAE in ONTAP 9.6?
No. You need to do one of the following things:
- Create a new NAE aggregate with storage aggregate create -aggregate aggregate_name -node node_name -encrypt-with-aggr-key true and move volumes to it by either specifying encrypt-destination or encrypt-with-aggr-key. As volumes are added, you start to realize aggregate deduplication space savings.
- Make sure every volume in the aggregate is an NVE volume (no plain text volumes are supported on an NAE aggregate). After that is done, NAE can be enabled on the aggregate with storage aggregate modify -aggregate aggregate_name -node node_name -encrypt-with-aggr-key true. Then move the NVE volumes to the same aggregate with volume move start -vserver SVM_name -volume volume_name -destination-aggregate aggregate_name -encrypt-with-aggr-key true.
Note: Both of these options require enough free space to create a new aggregate or enough free space in the existing aggregate to complete the volume move.
For more information, see the NetApp Volume Encryption Power Guide.
- How can I view the progress of the volume encryption conversion start command?
Use the volume encryption conversion show -fields percentage-completed command.
- Can I do a volume move while an active volume encryption start is running?
Yes. If volume encryption conversion show the status in phase 1, a volume encryption conversion pause must be issued and a volume move start with -encrypt-destination true will start the volume move with a new volume data encryption key. If the volume encryption conversion show displays the status in phase 2, a volume move start with -encrypt-destination true can be started without pausing. All of this is true for a volume move on an active volume encryption rekey start.
- Is it possible to tune the volume encryption conversion process?
No. The volume encryption conversion process runs single threaded per volume. ONTAP will give priority to data access operations over the volume encryption conversion process.
- Is there a maximum number of simultaneous volume encryption conversion processes that can be run at one time?
No, but it is it is recommended to have no more than 4 combined encryption conversions or encryption volume moves per node at the same time.
- Can I instantaneously delete a volume encryption key without deleting the volume?
The volume encryption key is deleted with the volume until the volume's retention period expires. The retention period is a standard ONTAP volume feature. Until the retention period expires, the data remains encrypted on disk.
- What do I do after the encrypted volume is created?
Nothing. ONTAP makes sure that the data with that volume is encrypted.
- Can I unencrypt a data volume?
Yes. For more information, see the NetApp Volume Encryption Power Guide .
- Can I rekey an existing volume or have the encryption key changed for an encrypted volume?
Yes. For more information, see the NetApp Volume Encryption Power Guide.
- Do I have to encrypt all of my data volumes with NVE?
No. NVE lets you choose which data volumes are encrypted.
- How do I confirm which volumes are encrypted?
volume show command with the
-is-encrypted true option displays a list of the currently encrypted volumes.
- How do I transition from the onboard key manager to an external key manager, or conversely?
If you are using NSE, you need to reset the authentication keys to the default manufacturer secure ID (MSID), 0x0. If you are using NVE, you need to unencrypt all volumes. If you're coming from OKM, delete the OKM configuration and create the external key manager configuration. Or, if you're coming from the external key manager, delete the external key manager configuration and create the OKM configuration. Finally, set authentication keys for NSE drives and encrypt required volumes with NVE. For details, see the NetApp Encryption Power Guide.
- How can I require a prompt for the OKM passphrase at controller reboot?
You can opt to require the OKM passphrase by using the
-enable-cc-mode true option with the
security key-manager setup command.
- What are the circumstances where an external key manager is contacted by a node?
A node contacts the key manager when:
- Creating a key.
- At the request of a:
security key-manager querycommand
security key-manager restorecommand
security key-manager show -statuscommand
- What is the behavior when the external key manager is not accessible?
- NVE system: encrypted volumes remain offline
- NSE system: refuse to boot, see the NetApp Encryption Power Guide
- Creating a key: key is not created
- At the request of a:
security key-manager querycommand: key IDs are shown if cache is filled
security key-manager restorecommand: command will fail
security key-manager show -statuscommand: command will show unavailable
- What happens with NVE volumes if the external key manager is not available during node giveback?
The NVE volumes will be offline.
- Where can I download an NVE-capable image?
You can download an ONTAP image for release 9.1 or later from the NetApp Support site. For example, go to https://mysupport.netapp.com/NOW/download/software/ontap/9.1/download.shtml for ONTAP 9.1. (See Figure 2.)
Figure 2) ONTAP software download page
- What happens when I install an ONTAP non-NVE-capable release (for example, the version for restricted countries) over an ONTAP release that is NVE-capable?
If there are NVE volumes, the ONTAP installation should fail.
- How can I switch to an NVE-capable version (for example, the version for restricted countries) from a non-NVE-capable version?
There are two ways to accomplish the switch without going through a full upgrade process:
cluster image package delete [-version]and then use cluster image package get [-url]
system node image update [-package ] <url text> [ -replace-package [true] ]
Use cluster image update -version 9.5P5 -nodes
Use cluster image show-update-progress (When complete, a reboot takes place)
- What is the performance impact of NVE?
It depends on the customer workload, the number of active encrypted data volumes, the platform, and the disk type being used.
- Do certain platforms perform better with NVE?
Yes. Platforms with higher core counts perform better with NVE. In certain situations, on the higher end, the performance impact of NVE is negligible or unobservable. For example, a NetApp FAS8080 is less affected than a FAS8040 for the same workload and the same number of active encrypted data volumes.
- Is there a performance difference between SSDs and HDDs while using NVE?
Volumes residing in SSDs are typically placed there because of the desire for extremely low latencies. NVE extends the path length for each piece of data so that it can be noticed in some workloads and operating conditions. The number of IOPS at a given latency can be less when NVE runs on a NetApp All Flash FAS system, for example. For volumes residing in HDDs, the bottleneck in that system is the disk, and there should be little to no impact with NVE.
- Is there an impact on nonencrypted volumes?
The impact of NVE comes from extending the processing for the encrypted volumes. Unencrypted volumes should remain unaffected while operating during normal conditions.
- What if I want to enable NVE or NAE on an existing system? How do I gauge the impact?
Use the headroom capability on the system as is (no encryption) to note where the existing performance is. Then, add an NVE or NAE volume (or convert an existing volume) and use the headroom capability once more to see what changes. Remember that NVE is per volume; therefore, you can encrypt or create one at a time based on the headroom and impact.
- To prevent encryption from affecting nonencrypted volumes, a limited number of CPU cores are dedicated to encryption. What happens if the encryption cores are overloaded?
To prevent overload, NVE and NAE takes advantage of AES-NI in Intel chipsets for encryption acceleration. If the offload is saturated, the impact will be seen in IOPS.
- Can I use NVE with MetroCluster?
Yes. NVE and NAE are the only generally available data-at-rest encryption option for NetApp MetroCluster.
- Can I use NVE with ONTAP Select?
Yes. NVE is the only generally available data-at-rest encryption option for NetApp ONTAP Select.
- Can I use NVE with NetApp FlexArray® software?
Yes. As long as the controller supports NVE, you can use NVE.
- Can I use NVE with Cloud Volumes ONTAP?
Yes. Cloud Volumes ONTAP is supported starting with ONTAP 9.5.
- Is NVE supported for NetApp Flash Cache cards?
Data on the Flash Cache™ cards is encrypted by the same CryptoMod used by NVE.
- Is data in NetApp Flash Pool intelligent caching encrypted by NVE?
Yes. Data in Flash Pool™ caches is encrypted by NVE.
- Are NetApp SnapLock software and NetApp ONTAP FlexGroup volumes compatible with NVE?
Yes. Starting with ONTAP 9.2, SnapLock® software and ONTAP FlexGroup volumes are supported. SnapLock is only supported for new SnapLock volumes. Existing SnapLock volumes cannot be moved, encrypted in place or rekeyed.
- Are external (KMIP) key managers compatible with NVE?
Yes. Starting with ONTAP 9.3, external key managers are compatible with NVE.
- Is NVE supported with backup applications?
Yes. NVE is independent of the backup targets or solutions. The data presented to the backup solutions is not encrypted.
- Does NVE support data partitioning (for example, ADP/ADPv2 and so on)?
Yes. NVE is independent of the data partitioning process because the volumes are established after the partitioning process is performed.
- Can I encrypt an existing volume in place with NAE in ONTAP 9.6?
No. You need to do one of the following:
- Create a new NAE aggregate with storage aggregate create -aggregate aggregate_name -node node_name -encrypt-with-aggr-key true and move volumes to it by either specifying encrypt-destination or encrypt-with-aggr-key. As volumes are added you'll start getting the aggregate deduplication space savings.
- Make sure every volume in the aggregate is an NVE volume (no plain text volumes are supported on an NAE aggregate). Once that is done, NAE can be enabled on the aggregate with storage aggregate modify -aggregate aggregate_name -node node_name -encrypt-with-aggr-key true, then move the NVE volumes to the same aggregate with volume move start -vserver SVM_name -volume volume_name -destination-aggregate aggregate_name -encrypt-with-aggr-key true.
Note: Both these options require enough free space to create a new aggregate or in the existing aggregate to complete the volume move.
For more information, see the NetApp Volume Encryption Power Guide.